@brainstorm
Last active April 13, 2020 10:01
Anritsu builtin telnet debugger
[25 Sep 2019 at 22:14:46]:
...-> max contiguous free space: 26,544,177,156 bytes
# of files: 1,348
# of folders: 133
total bytes in files: 115,534 Kb
# of lost chains: 0
total bytes in lost chains: 0
Checking for log file (/card0/sys/evt/evt.log)
Purge old events: Found 11 events in the log
Initializing keypad driver
Initializing twiddle driver
CPU PCI Mem Virtual address: 0xa4000000
CPU PCI Reg Virtual address: 0xa7e00000
CPU PCI I/O Virtual address: 0x0
SMI501: PCIMEM:@0xa4000000, ISAMEM:@0x0
DPR:@0xa7f00000,VPR:@0xa7e80040,CPR=0xa7e90000
VRAM=0xa4000000, 8MB
Vgx Set Mode Hardware (800x600x16@60)
Calling findMode...
Setting the mode...
Calling adjustMode...
Calling setModeRegisters...
Control Register >>> 0x3105 <<<
Calling programMode PANEL (regTable->display == PANEL)...
programMode: Getting current config...
programMode: gate == 0x219ff
programMode: clock == 0x221a0801
programMode: power_mode == 0x0
In programMode (regTable->display == PANEL)...
programMode: Programming clock, enable disp cont...
programMode: Calculating frame buffer address...
programMode: Programming panel registers...
programMode: Programming panel disp cont...
Control Register >>> 0x3105 <<<
Control Register Value >>> 0xe013105 <<<
Control Register Value(2) >>> 0xe013105 <<<
programMode: Turning on the panel...
programMode: Filling palette with gamma values...
Calling setModeRegisters(2)...
Calling programMode CRT (regTable->display == CRT)...
programMode: Getting current config...
programMode: gate == 0x219ff
programMode: clock == 0x221a0801
programMode: power_mode == 0x1
In programMode (regTable->display == CRT)...
programMode: Programming CRT mode...
programMode: Filling palette with gamma values...
Setting up memory clock...
Resetting panel frame buffer address...
Setting initialized signature...
After Vgx Set Mode Hardware
Clearing VRAM
mode=0 - Single Screen 800x600 with 16 Bit 5-6-5 RGB
Initializing UGL
SMI_DevCreate: reg_base=0xa7e00000, mem_base=0xa4000000
Detecting video memory...
Verifying coprocessor not busy...
KBD: Setting interrupt level to 14
Displaying splash screen
Entering displaySplashScreen...
Attempting to open AnritsuLogo.bmp
NUMBER OF COLORS 256
Data file size 198400 1078
Read the file
Bitmap Info w: 800 248 colors 256,
Done opening AnritsuLogo.bmp (0xfafae1c)
DESTROYING
HOME FREE
opeing /card0/sys/bmp/MS2721A.bmp
NUMBER OF COLORS 256
Data file size 80500 1078
Read the file
Bitmap Info w: 700 115 colors 256,
DESTROYING
Done displaying splash screen
Animating splash screen
Initializing network...
Attached TCP/IP interface to lnc0.
Initializing DHCP lease (lnc0,0xcb37184,1)
sysSetDHCP: Successful DHCP lease setup
sysSetDHCP: Successful event hook add
sysSetDHCP: gvBeginDHCPLease complete (cookie == 0xfb57e08)
sysSetDHCP: Successful dhcpcBind
sysSetDHCP: ifFlagChange complete
interrupt: HI08: No data to read
SELFTEST STEP 4
Self Test returning 0x00000000
loading base_gui.out
Undefined symbol: _sysSkipDspTest (binding 1 type 0)
Undefined symbol: _sysRWSecurityEnable (binding 1 type 0)
Undefined symbol: _sysRWMWModFpgaVer (binding 1 type 0)
Undefined symbol: _sysRWBerBoardValid (binding 1 type 0)
Undefined symbol: _sysRWBerBoardID (binding 1 type 0)
Undefined symbol: _sysRWBerBoardSN (binding 1 type 0)
Undefined symbol: _eraseAllEEPROM (binding 1 type 0)
Undefined symbol: _MenuButtonEventHandler__17AutomaticFWUpdateUi (binding 1 type 0)
Undefined symbol: _sysRWMWModBoardValid (binding 1 type 0)
Undefined symbol: _sysRWIsdbtBerFpgaVer (binding 1 type 0)
Undefined symbol: _IsTouchScreenPresent (binding 1 type 0)
Undefined symbol: _tScrCal (binding 1 type 0)
Undefined symbol: _sysRWMWModBoardID (binding 1 type 0)
Undefined symbol: _sysRWBerControlFpgaVer (binding 1 type 0)
Undefined symbol: _gstatSetKeypadBkltColor (binding 1 type 0)
Undefined symbol: _sysRWDvbthBerFpgaVer (binding 1 type 0)
Undefined symbol: _sysRWMWModSN (binding 1 type 0)
ld error: Module contains undefined symbol(s) and may be unusable.
loading cst_base.out
Undefined symbol: _configureC120 (binding 1 type 0)
Undefined symbol: _ipcom_accept (binding 1 type 0)
Undefined symbol: _sysRWSecurityEnable (binding 1 type 0)
Undefined symbol: _BootFlashWriteBuf (binding 1 type 0)
Undefined symbol: _sysRWMWModFpgaVer (binding 1 type 0)
Undefined symbol: _ipcom_GetBroadcastAddress (binding 1 type 0)
Undefined symbol: _mountNANDriveBootStrap (binding 1 type 0)
Undefined symbol: _sysRWBerBoardValid (binding 1 type 0)
Undefined symbol: _ipcom_getsockname (binding 1 type 0)
Undefined symbol: _ipcom_shutdown (binding 1 type 0)
Undefined symbol: _wakeBattery (binding 1 type 0)
Undefined symbol: _sysUpdateOSBuffer (binding 1 type 0)
Undefined symbol: _sysRWBerBoardID (binding 1 type 0)
Undefined symbol: _sysRWBerBoardSN (binding 1 type 0)
Undefined symbol: _loadIPLtoMDoc (binding 1 type 0)
Undefined symbol: _internalRWDisabled (binding 1 type 0)
Undefined symbol: _ipcom_connect (binding 1 type 0)
Undefined symbol: _loadSPLtoMDoc (binding 1 type 0)
Undefined symbol: _ipcom_bind (binding 1 type 0)
Undefined symbol: _sysRWMWModBoardValid (binding 1 type 0)
Undefined symbol: _ipcom_send (binding 1 type 0)
Undefined symbol: _ipcom_sendto (binding 1 type 0)
Undefined symbol: _sysRWIsdbtBerFpgaVer (binding 1 type 0)
Undefined symbol: _GetLMRFpgaVer (binding 1 type 0)
Undefined symbol: _ipcom_recv (binding 1 type 0)
Undefined symbol: _sysRWSubnetMask (binding 1 type 0)
Undefined symbol: _sysRWMWModBoardID (binding 1 type 0)
Undefined symbol: _eraseC120 (binding 1 type 0)
Undefined symbol: _mountNANDriveOS (binding 1 type 0)
Undefined symbol: _loadBootStraptoMDoc (binding 1 type 0)
Undefined symbol: _sysRWBerControlFpgaVer (binding 1 type 0)
Undefined symbol: _ipcom_socketclose (binding 1 type 0)
Undefined symbol: _ipcom_socket (binding 1 type 0)
Undefined symbol: _gstatProgramFPGA (binding 1 type 0)
Undefined symbol: _configureC40 (binding 1 type 0)
Undefined symbol: _sysRWDvbthBerFpgaVer (binding 1 type 0)
Undefined symbol: _loadOStoMDoc (binding 1 type 0)
Undefined symbol: _ipcom_listen (binding 1 type 0)
Undefined symbol: _sysRWMWModSN (binding 1 type 0)
Undefined symbol: _sysRWMWModFpgaID (binding 1 type 0)
Undefined symbol: _sysIsNANDrivePresent (binding 1 type 0)
DHCP Lease Successful
ld error: Module contains undefined symbol(s) and may be unusable.
Label #0 (0xfb37c00) == VERSION=V5.71
Label #0 (0xfb37bd4) == VERSION=V5.71
(...)
got OS version V2.06
Label #0 (0xfb37c00) == VERSION=V5.73
(...)
-> dbgHelp
dbgHelp Print this list
dbgInit Install debug facilities
b Display breakpoints and eventpoints
b addr[,task[,count]] Set breakpoint
e addr[,eventNo[,task[,func[,arg]]]]] Set eventpoint
bd addr[,task] Delete breakpoint
bdall [task] Delete all breakpoints and eventpoints
c [task[,addr[,addr1]]] Continue from breakpoint
cret [task] Continue to subroutine return
s [task[,addr[,addr1]]] Single step
so [task] Single step/step over subroutine
l [adr[,nInst]] List disassembled memory
tt [task] Do stack trace on task
bh addr[,access[,task[,count[,quiet]]]] Set hardware breakpoint
access values:
- Break on any access ( 00)
- Break on instruction fetch ( 01)
- Break on data access ( 10)
- Bus cycle any ( 00 )
- Bus cycle read ( 01 )
- Bus cycle write ( 10 )
- Operand size any ( 00 )
- Operand size byte ( 01 )
- Operand size word ( 10 )
- Operand size long ( 11 )
- CPU access ( 00 )
- DMAC access ( 01 )
- CPU or DMAC access ( 10 )
- IBUS ( 00 )
- XBUS ( 01 )
- YBUS ( 10 )
*Not all access combinations are supported by all SuperH CPUs.
Use of an invalid combination is not always reported as an error.
r0-r15,sr,gbr,vbr,mach,macl,pr,pc [task] Get a register of a task
value = 1366 = 0x556
-> l 0x0f943390,100
f943390 2008 tst r0,r0
f943392 8b04 bf +8 (==> 0x0f94339e)
f943394 d265 mov.l @(0x194,pc),r2 (= 0x0c3e1920 = _strcpy)
f943396 d166 mov.l @(0x198,pc),r1 (= 0x0f9d04bc)
f943398 d566 mov.l @(0x198,pc),r5 (= 0x0f9aa3f4)
f94339a 420b jsr @r2
f94339c 6412 (mov.l @r1,r4)
f94339e d166 mov.l @(0x198,pc),r1 (= 0x0f964de0 = _initializeMemBuffers)
f9433a0 410b jsr @r1
f9433a2 0009 (nop )
f9433a4 d165 mov.l @(0x194,pc),r1 (= 0x0c43e2a0 = _taskIdSelf)
f9433a6 410b jsr @r1
f9433a8 0009 (nop )
f9433aa d165 mov.l @(0x194,pc),r1 (= 0x0c3e8ee0 = _ioTaskStdGet)
f9433ac 6403 mov r0,r4
f9433ae 410b jsr @r1
f9433b0 e501 (mov #1,r5)
f9433b2 d864 mov.l @(0x190,pc),r8 (= 0x0c040900 = _sysGetTurnOnMode)
f9433b4 480b jsr @r8
f9433b6 0009 (nop )
f9433b8 8802 cmp/eq #0x2,r0
f9433ba 8b11 bf +34 (==> 0x0f9433e0)
f9433bc d162 mov.l @(0x188,pc),r1 (= 0x0f93be60 = _gvFactoryDefaults)
f9433be 410b jsr @r1
f9433c0 0009 (nop )
f9433c2 a015 bra +42 (==> 0x0f9433f0)
f9433c4 0009 (nop )
-> ti
NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
tBigBrother_tBigBrother fb3fb88 100 SUSPEND 4 fb3fb20 0 0
stack: base 0xfb3fb88 end 0xfb35f48 size 39852 high 840 margin 39012
options: 0xc
VX_DEALLOC_STACK VX_FP_TASK
VxWorks Events
--------------
Events Pended on : Not Pended
Received Events : 0x0
Options : N/A
r0 = 8c000000 r1 = 0 r2 = c446460 r3 = 400001f0
r4 = 20 r5 = 0 r6 = fb3fb88 r7 = 1e0
r8 = c3e4ac0 r9 = 0 r10 = 0 r11 = 0
r12 = c3e4ac0 r13 = f3cfb80 r14 = fb3fb20 r15/sp = fb3fb20
gbr = ff000000 vbr = 8c000000 mach = 0 macl = 20
pr = f943390 sr = 0 pc = 4
fpul = 0 fpscr = 80000
fr0 = NaN fr1 = NaN fr2 = NaN fr3 = NaN
fr4 = NaN fr5 = NaN fr6 = NaN fr7 = NaN
fr8 = NaN fr9 = NaN fr10 = NaN fr11 = NaN
fr12 = NaN fr13 = NaN fr14 = NaN fr15 = NaN
xf0 = NaN xf1 = NaN xf2 = NaN xf3 = NaN
xf4 = NaN xf5 = NaN xf6 = NaN xf7 = NaN
xf8 = NaN xf9 = NaN xf10 = NaN xf11 = NaN
xf12 = NaN xf13 = NaN xf14 = NaN xf15 = NaN
Reserved Instruction Codevalue =
EXPEVT Register: 0x000000180
= 0xProgram Counter: 0x000000004
Status Register: 0x
0000000-> 0
$ wget http://dl.cdn-anritsu.com/en-us/test-measurement/files/Software/Drivers-Software-Downloads/MS2721B_V1.51_USBLoader.exe
$ r2 MS2721B_V1.51_USBLoader.exe
[0x004067cc]> izzq~MSCF
0x42686f 6 5 PMSCF
[0x0042686f]> s 0x00426870
[0x00426870]> pm
0x00426870 1 Microsoft Cabinet archive data, 20011963 bytes, 7 files
[0x00426870]> px 10
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00426870 4d53 4346 0000 0000 bb5b MSCF.....[
[0x00426870]> pm | awk '{ print $7 }'
20011963
[0x00426870]> wtf firmware.cab 20011963
Dumped 20011963 bytes from 0x00426870 into firmware.cab
$ brew install cabextract
$ cabextract firmware.cab
Extracting cabinet: firmware.cab
extracting V1.51_MS2721B.zip
extracting V1.51_MS2721B_Customer_Service_Revision.txt
extracting instructions.rtf
extracting ANRITSU COMPANY FREE SOFTWARE LICENSE AGREEMENT.rtf
extracting USBLoader.exe
extracting info.txt
extracting master.txt
All done, no errors.
$ unzip V1.51_MS2721B.zip
(...)
inflating: SH4/BASE/sys/base/cst_base.out
inflating: SH4/OS/VxWorks.bin
(...)
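The carve above works because the CFHEADER that starts at the `MSCF` signature stores the total cabinet size (cbCabinet) as a little-endian u32 at offset 8, which is why `px` shows `bb5b` right after the eight signature/reserved bytes (20011963 = 0x01315BBB) and `pm` reports 20011963 bytes. As an added example that is not part of the gist, the script below does the same job without r2: it scans an installer blob for a CFHEADER, validates it so that a stray `MSCF` string is not mistaken for a cabinet, and returns the embedded cabinet bytes. The sample installer it builds is constructed test data, not Anritsu firmware.

```python
import struct

# Fixed part of a CAB CFHEADER, little-endian, 36 bytes:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36


def find_cab_headers(blob: bytes):
    """Yield (offset, cbCabinet, cFiles) for every plausible CFHEADER in blob.
    A hit is accepted only if the reserved words are zero, the format version
    is 1.3 and the declared sizes fit inside the remaining data, so a decoy
    'MSCF' string inside the installer's own code is skipped."""
    pos = blob.find(b"MSCF")
    while pos != -1:
        if pos + CFHEADER_SIZE <= len(blob):
            (_sig, res1, cb_cabinet, res2, coff_files, res3, ver_minor,
             ver_major, _c_folders, c_files, _flags, _set_id,
             _i_cabinet) = struct.unpack_from(CFHEADER_FMT, blob, pos)
            if (res1 == res2 == res3 == 0 and (ver_major, ver_minor) == (1, 3)
                    and CFHEADER_SIZE <= coff_files < cb_cabinet <= len(blob) - pos):
                yield pos, cb_cabinet, c_files
        pos = blob.find(b"MSCF", pos + 1)


def carve_cab(blob: bytes):
    """Return the bytes of the first embedded cabinet, or None if none found."""
    for off, size, _ in find_cab_headers(blob):
        return blob[off:off + size]
    return None


def build_sample_installer() -> bytes:
    """Constructed test input (hypothetical, not Anritsu data): a fake
    installer prefix containing a decoy 'MSCF' string, then a minimal cabinet
    with one folder, one file and an opaque 40-byte payload, then trailing junk."""
    payload = b"\x00" * 40                      # stands in for CFFOLDER/CFFILE/CFDATA
    cb_cabinet = CFHEADER_SIZE + len(payload)   # 76
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, cb_cabinet, 0,
                         CFHEADER_SIZE + 8, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    prefix = b"MZ" + b"\x90" * 30 + b"MSCF not a header" + b"\x90" * 20
    return prefix + header + payload + b"TRAILING"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_installer()
    for off, size, n_files in find_cab_headers(data):
        print(f"cabinet at 0x{off:08x}: {size} bytes, {n_files} files")
```

Run it with the installer path as the only argument to list every embedded cabinet; `carve_cab` gives the bytes to write out in place of r2's `wtf`.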
$ r2 -a sh -b 32 ~/dev/anritsu/firmware/fresh/OS/VxWorks.bin
-- r2 is meant to be read by machines.
[0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py
Running with python version: 3.7.3 | packaged by conda-forge | (default, Jul 1 2019, 14:38:56)
[Clang 4.0.1 (tags/RELEASE_401/final)]
Auto detected VxWorks version: 5
firmware_path: /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0xba1eb8
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0xbd61c8
[INFO ][vxhunter_r2_py3._check_vxworks_endian] VxWorks endian: Little endian
###### Start analyze firmware ######
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x80002000
[INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x10000
[INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x1000
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0xf2003fe4
[INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x100000
[INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x107fe0
[INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table start address at 0xa90d48
[INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table end at 0xae60f3
[INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found a string tab at: 0xa90d4c to 0xae60f3
[INFO ][vxhunter_r2_py3.find_loading_address] Start analyse
[INFO ][vxhunter_r2_py3.find_loading_address] load address is :0xbffd998
Found VxWorks image load address: 0x0BFFD998
Found VxWorks symbol table from 0x00BA1EB8 to 0x00BD61C8
###### Rebase current firmware ######
All core files, io, anal and flags info purged.
Rebase with r2 command: o /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin 0xbffd998 r-x
###### Start analyzing functions######
af: Cannot find function at 0x0c40e662
af: Cannot find function at 0x0c40d906
af: Cannot find function at 0x0c4016a0
(...)
af: Cannot find function at 0x0c416692
af: Cannot find function at 0x0c40fcc0
/\.---./\ .---------------------------------------------------------------.
'-- = = --' | |
---- Y ---- < Finished, VxHunter found 12610 functions and 1962 symbols ^_^ |
_.- U -._ | |
`---------------------------------------------------------------'
[0x00000000]>